Insights

The Don’t Tell/Don’t Ask Pact Driving Governance Failures

In my previous piece, Why Boards Still Don’t Ask the Hard Questions About Mission-Critical Risk, I explored why so few boards demand reporting on the risks and uncertainties that threaten an organization’s most important objectives. Like that piece, this one began with a social media post that sparked a strong reaction, because it points to a governance reality many know but rarely admit.

Why Boards Still Don’t Ask the Hard Questions About Mission-Critical Risk

In a recent post, I posed a question that I believe cuts to the heart of modern risk governance: why haven’t most boards asked for reports on risk and uncertainty linked to the mission-critical objectives that ultimately define whether organizations succeed or fail?

Current State of TPRM: 2025 Annual Study

Third-party risk management is no longer a box to tick; it’s a survival strategy. But according to Mitratech’s latest global study, many organizations are still managing sprawling vendor ecosystems with outdated tools, limited visibility, and far too few resources.

Imagine an AI-Enabled World of Risk Management

In the latest piece from Norman Marks, the veteran governance, risk, and audit thought leader takes a bold leap into the near future, imagining how AI could fundamentally reshape decision-making, risk management, and the role of internal audit. Through a vivid crystal-ball scenario, Marks explores what happens when AI becomes a trusted partner for executives, operations, and assurance functions alike.

Rethinking SaaS Resilience in the Financial Services Supply Chain

When JPMorgan Chase’s CISO took to the stage earlier this year and called on SaaS providers to “do better” on resilience, it wasn’t just another passing soundbite. It was a rare public signal from one of the most security-mature organizations on the planet — and the timing could not have been sharper.

Cyber Is One of Many Business Risks

In Norman Marks’ latest piece, he dives into the persistent misconception that cyber risk stands apart from broader business concerns. Drawing on timeless advice from former Protiviti executive Ed Hill and tying in new findings from Qualys’ 2025 cyber risk report, Marks makes the case for breaking down silos and treating cyber as just one of many risks competing for limited resources and executive attention.

Still Clinging to the Checklist? Why Most Risk & Audit Programs Won’t Change, Unless They’re Forced To

Flaws in traditional enterprise risk management (ERM) and legacy internal audit (IA) practices aren’t exactly a secret. Risk registers, heat maps, and audits focused solely on internal control deficiencies may look tidy in a board report, but they rarely reflect how risk really works or how organizations actually fail.